Sponsorship, signed driver and license ideas and challenges

[nefarius]

@vadimgrn If you think this topic should be a discussion, feel free to migrate it!

Hello there!

After lurking and following this project with great interest I have a few questions, suggestions and recommendations regarding the topics mentioned in the issue title.

Signed driver

regarding #13

Let's start with the most juicy one first: my company would be willing to dance the "Microsoft Partner Portal Submission and Driver Attestation Signing" dance for the Windows kernel components of the solution, meaning making a production-signed copy available that would support Windows 10/11 x64/AMD64 with or without SecureBoot enabled. I see a lot of potential and use-cases in this project and among the forks out there appears to be the most well-maintained and thought-through.

However, next to the topics that are in the way of this adventure.

Use of the GPL-3 license

From my understanding by browsing the projects, the entire repository and all sub-components (Windows/Linux userland libraries, Windows device driver(s)) follow the GPL-3. This is problematic for a multitude of reasons.

Incompatibility with the Windows Driver Ecosystem

Windows device drivers are technically incompatible with the GPL (2 and 3) since their strong copyleft restrictions would demand, that components of the Windows kernel that have to be linked against are available to the public as well. This is an unavoidable and unsolvable conflict, since no matter which device driver architecture you build your driver with (WDM, KMDF, UDE, ...) you have to link against the closed-source DDIs or your binary would basically be non-functioning.

Unfortunately this is not really well-known and the closest public statement to demonstrate this is found in the last paragraph of virtio-win/kvm-guest-drivers-windows. This means that Microsoft even actively rejects WHQL submissions of GPL'ed drivers.

To my knowledge, the attestation signing procedure is blind to this flaw, but just because it works doesn't mean it is correct 😬

Now, for the hobbyist and private individual this may seem like boring nit-picky details, and nobody may ever raise an eyebrow and turn it into problem, but that is unfortunately not what company lawyers like to hear 😅 ("No plaintiff, no judge.").

I ran into this with my own FOSS driver a long time ago too, I since settled on the 3-Clause BSD License although Apache 2 and MPL are a compatible choice too.

Incentive for contributions constrained

The GPL tries its best to turn users of free work into contributors so the balance between those creating and those merely taking without giving back is more or less maintained.

Imagine the following (fairly common) scenario now: a company would love to build upon this project and is willing to contribute back code whenever there's a need for change (bug fixes as a prime example). Their core app/product is designed as proprietary/closed-source and they simply interface via e.g. the provided libusbip with the driver. The GPL would now demand that - even if we link dynamically, not even static - the product interfacing the (unmodified and publicly available) would need to be open-source too. This is in many (most?) cases neither possible nor desired and would also ultimately not benefit this project, since it forces opening up code that isn't really relevant or beneficial to the project.

This will immediately drive away any potential contributor that aims for integrating into non-FOSS applications, we now have no winner in this scenario; the contributor may be willing to join forces with the project and provide enhancements, but in return can not even use it themselves? Everyone lost.

Ideas and potential solutions

As you can see, we orbit around the chosen license doing more harm than good, for hobbyists and corporate entities alike. Now not all is lost though, there are multiple ways forward, although none are entirely without obstacles.

Re-license under more compatible license(s)

Someone feel free to correct me but as far as my research got me, there is no way to rectify the shortcomings laid out above without a license change. This is unfortunately not done in one afternoon, the following points need to be covered/resolved:

• a CLA (Contributor License Agreement) was not used, therefore all past contributors, not just the current core maintainer, would need to be contacted to agree to a change since parts of their work have been added without them "signing away" the copyright of their work (however tiny it may have been). Contributions from authors that do not respond or deny the license change would need to be removed or rewritten.
• A suitable new license that both covers the WHQL restrictions and the needs and visions of the maintainers needs to be chose. The non-kernel components could make use of either the same new license or a different one, that doesn't force copyleft to bleed over into proprietary apps. Suggestions:
  • Driver components: BSD-3-Clause, Apache 2, MPL 2 (technically even GPL-2, but...)
  • Other userland components: Lesser GPL variants or more permissive like MIT, BSD, etc.

Offer a dual-license model for commercial projects

It is quite common to dual-license to allow commercial use under a separate commercial license. This is only possible if the licencor owns the majority of the code, since without a CLA one single person couldn't just make this decision for all other contributors.

If both of the above fail, only a rewrite from scratch of the affected components under a more permissive license would be an alternative.

A quick git-fame run shows we would have to get at least the top 4 contributors into this discussion:

Total commits: 1681
Total ctimes: 16445
Total files: 310
Total loc: 85864
| Author                 |   loc |   coms |   fils |  distribution   |
|:-----------------------|------:|-------:|-------:|:----------------|
| Vadym Hrynchyshyn      | 58646 |    921 |    242 | 68.3/54.8/78.1  |
| KyungWoon Cho          | 13888 |    228 |     21 | 16.2/13.6/ 6.8  |
| cpeacock               | 12054 |     11 |      2 | 14.0/ 0.7/ 0.6  |
| vadimgrn               |  1193 |    397 |     26 | 1.4/23.6/ 8.4   |
| arjanmels              |    25 |      4 |      1 | 0.0/ 0.2/ 0.3   |
| matt mooney            |    24 |     12 |      6 | 0.0/ 0.7/ 1.9   |
| George Hopkins         |    11 |     12 |      1 | 0.0/ 0.7/ 0.3   |
| Nathan Raggett         |     7 |      1 |      3 | 0.0/ 0.1/ 1.0   |
| Vadym                  |     4 |      9 |      2 | 0.0/ 0.5/ 0.6   |
| Jan Kubalek            |     4 |      8 |      2 | 0.0/ 0.5/ 0.6   |
| Alexandre Demers       |     4 |     16 |      2 | 0.0/ 1.0/ 0.6   |
| Brandon Ros            |     2 |      4 |      1 | 0.0/ 0.2/ 0.3   |
| lepton-wu              |     2 |     24 |      1 | 0.0/ 1.4/ 0.3   |
| Bartlomiej Cieszkowski |     0 |      2 |      0 | 0.0/ 0.1/ 0.0   |
| Bartłomiej Cieszkowski |     0 |      2 |      0 | 0.0/ 0.1/ 0.0   |
| Daniel Mitchell        |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| Dejan Milic            |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| Marc Capdevielle       |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| Martin Drab            |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| Paul Peavyhouse        |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| Peter Dons Tychsen     |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| Rex Han                |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| Richard Pasek          |     0 |      3 |      0 | 0.0/ 0.2/ 0.0   |
| Samo Pogačnik          |     0 |     10 |      0 | 0.0/ 0.6/ 0.0   |
| SiLeader               |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| StoyanDimitrov         |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| Sven Luebke            |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| Wqrld                  |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| chenfayu               |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| rgsilva                |     0 |      2 |      0 | 0.0/ 0.1/ 0.0   |
| rogermiranda1000       |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| svirot                 |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |
| 謝致邦 (XIE Zhibang)    |     0 |      1 |      0 | 0.0/ 0.1/ 0.0   |

Prologue

Man, that was a lot, sorry in advance 😅 What do you fine folks think?

Cheers

[vadimgrn]

Hello, thank you for your interest in my project.

• About legacy and authors/commits. This information is irrelevant. The repo was indeed cloned from https://github.com/cezanne/usbip-win. But there is no legacy code left. WDM driver was ditched. These projects were written from scratch: usbip2-ude and usbip2-filter drivers, resources, libusbip, usbip and devnode utilities, GUI, installer. libdrv was completely overhauled, its name is the only legacy. If you find inherited code somewhere, it must be libdrv only. In such case I will rewrite it. Use 'git blame' for real information and don't use number of commits to reveal authors. Currently this repo has nothing common with cezanne/usbip-win except for the names of some projects.
• I don't mind to change the license for the project, absolutely. But how can I do that? Is it legal to change the license by simply replacing it to a less restrictive one? I am not sure about that. Why smartphones manufacturers must release modified versions of Linux kernels if they can just clone a kernel and change its license. They can't do that, neither can I.

[fredemmott]

Is it legal to change the license by simply replacing it to a less restrictive one?

Usually yes, as long as you own the copyright for every part, or have permission from everyone who does own copyright of any part, e.g. explicit permission from all contributors or a CLA.

. Why smartphones manufacturers must release modified versions of Linux kernels if they can just clone a kernel and change its license

They don't own the copyright or have permission from the owners.

[nefarius]

That's really great news, that simplifies the situation tremendously. I'll later invest in a more thorough reply, making suggestions in helping which license to choose etc. Exciting to see all the insights here!

[nefarius]

Alright, I'll try my best to be brief 😅

I will address two independent topics: anything Windows driver related and "the rest".

Many permissive licenses appear similar on the surface, one of the major differences is the explicit grant of patent rights. What that even means:

An explicit patent grant in a software license means that contributors grant users the right to use any patents they might own that are necessary to use, modify, or distribute the software. This helps prevent contributors from later suing users for patent infringement based on the contributed code.

Since we're dealing with established tech here (Widows Driver SDK comes with its own license, USB Specification is public) I doubt there is any realistic threat here we have to think about protecting us from. Anyone feel free to correct me on this one!

On the other hand we wish to at least keep the following from adopters:

• Attribution Required
• Modification Notices Required

Driver license (no pun intended)

As mentioned, the most important part is to comply with the WHQL restrictions first and foremost. This means we need to ensure, that the license chosen is not "leaking over" copyleft into closed components you have to link against. At the same time we wish for adopters to properly credit.

Recommendation

• ✅ My recommendation: BSD 3-Clause License
  • Even more permissive alternative: MIT
  • Example adopters
    • Red Hat's Windows paravirtualized drivers for QEMU\KVM
    • My own Windows kernel-mode Bluetooth Profile & Filter Drivers for PS3 peripherals
• ✅ Alternatively if the explicit patent grant is important: Apache 2.0 License
• ⚠️ Borderline acceptable due to weak copyleft: Mozilla Public License Version 2.0
  • Example adopters
    • ThinkPad TrackPoint driver for Windows
• 💀 Frighteningly borderline to unacceptable: Lesser GPL
  • Example adopters
    • Donaky

Userland components

Here we can focus on a different topic: making sure we do not throw a wrench into the way the libraries might be interacted with while remaining proper accreditation and giving an incentive to contributors. ChatGPT honestly did a better job summarizing than I ever could, so excuse me for exposing you to A.I. content 😬

• MIT License (Most permissive)
  • Allows anyone to use, modify, distribute, and link against your software, even in proprietary projects.
  • No copyleft restrictions, no obligations beyond attribution.
  • Best for maximum adoption and ease of use for commercial projects.
• BSD 2-Clause or BSD 3-Clause License
  • Like MIT, but with additional disclaimers and restrictions (e.g., BSD 3-Clause prevents using the original authors' names for promotion).
  • Also highly permissive and allows linking with closed-source software.
• Apache 2.0 License (Best if you care about patent protection)
  • Permissive like MIT but includes an explicit patent grant, protecting users from patent-related claims.
  • Requires attribution and notices of modifications but does not impose copyleft.
  • Recommended if you want to protect commercial users from potential patent risks.

Recommendation

• ✅ My recommendation: MIT
  • In use in another project of mine
• ✅ Almost equally perfect fit: Apache 2.0 License

TL;DR:

Driver BSD-3-Clause and libraries MIT or entire repository Apache 2.0.

👋

[nefarius]

• I don't mind to change the license for the project, absolutely. But how can I do that? Is it legal to change the license by simply replacing it to a less restrictive one? I am not sure about that. Why smartphones manufacturers must release modified versions of Linux kernels if they can just clone a kernel and change its license. They can't do that, neither can I.

You being the sole primary contributor/owner/author of the majority of the project makes things rather easy; you only have to consult yourself if you want to make the change and when you decided to do so, make a note somewhere (in the README) that starting with commit hash XXX a license change has happened.

[cbrauers]

Just did a quick git-blame exercise, and it seems that the vast majority of (surviving) lines contributed by KyungWoon Cho and cpeacock were entries in userspace/usbip/usb.ids. Quick sampling of other commits shows that most of the remaining lines are also stuff that is hardly copyrightable by the contributors of those lines, like unchanged boilerplate in the project config files, verbatim copies of the GPL and trivial lines like an opening or closing brace that git happened to match on a commit.

[vadimgrn]

Actually usb.ids was added from here http://www.linux-usb.org/usb-ids.html. It does not matter who added it. I've updated it several times.
P.S. Vadym Hrynchyshyn and vadimgrn, it's me.

[vadimgrn]

OK, tomorrow I'll edit remaining lines that were edited by someone else. After that I could change the license, the question is which one to pick for compatibility with WHLK.

[cbrauers]

Actually usb.ids was added from here http://www.linux-usb.org/usb-ids.html. It does not matter who added it. I've updated it several times. P.S. Vadym Hrynchyshyn and vadimgrn, it's me.

Exactly my point. It looks like they contributed thousands of lines, and of course the project would likely not be what it is without them, but ultimately once you account for third-party sources, there is almost nothing left that was not committed by you.

[vadimgrn]

The 'develop' branch has a new license and is ready to be merged into master. What do you think about that, is everything okay?

[nefarius]

Great choice! As per my prior remark I recommend to put a paragraph similar to this somewhere in the README so it's clear that at a certain commit a significant change has happened. Other than that, LGTM!

[vadimgrn]

The license has changed. But it seems that modifications have added some issues that need to be fixed (I've tested a flash drive, it does not work).

[vadimgrn]

False alarm, there were the notorious Win11 24H2 network issues. Drivers are OK and work fine.