Developed On Hackaday: License Incompatibilities And Project State

OLED display, blue LED and Smartcard

mooltipass top pcb

It has been a while since we wrote an article about our ongoing offline password keeper project, aka the Mooltipass. Our last post was asking our dear readers to vote for their favorite card art, so what have we been doing since then?

For the last few weeks we’ve mostly been improving our current PCBs and case design so that the production process goes smoothly. The final top PCB shown above has been tweaked to improve its capacitive touch sensing capabilities; you can see a video of the system in action in the Mooltipass project log on hackaday.io. We’ve also spent some time refining the two most popular card art designs so our manufacturers can print them correctly. We’ll soon integrate our updated USB code (allowing the Mooltipass to be detected as a composite HID keyboard / HID generic) into the main solution, which will then allow us to work on the browser plugin.

It’s also interesting to note that we recently decided to stop using the GPL-licensed avrcryptolib. Our current project is CDDL licensed, allowing interested parties to use our code in their own project without forcing them to publish all the remaining code they created. The GPL license enforces the opposite, so we picked another AES encryption/decryption implementation. This migration was performed and checked in less than a day by our dedicated contributor [Miguel], who ran the AES NESSIE / CTR tests and checked their output.

We’re about to ship the first Mooltipass prototypes to our active contributors and advisers. A few weeks later we’ll send an official call for beta testers, just after we have shown (here on Hackaday) what the final product looks like. Don’t hesitate to ask any questions you may have in the comments section; you can also contact us on the dedicated Mooltipass Google group.

94 thoughts on “Developed On Hackaday: License Incompatibilities And Project State”

        1. I used to work on satellite products that used embedded linux. The kernel and all of the OS libraries were unmodified GPL’d code. The proprietary code was created as an application so that it did not have to link with GPL’d components. The only thing that was required to GPL were the drivers, but those were rather minimal.

          If linux required the applications running on it to be GPL, then it probably would not have seen widespread adoption.

          But what is wrong with people using the code for their own benefit? People are able to use OpenSSL in that manner. It’s awesome when working on a project at work where you can use a component such as that to save a ton of time.

        2. Why is this a bad thing? Companies have used Linux to produce all manner of consumer hardware more cheaply and with higher quality than they would otherwise have been able. In turn we can buy these products which otherwise would have been far more expensive and lower quality, and may not have existed at all.

          You can say that “GPL software should only be usable by people contributing to the GPL software community” but that is the opposite of “free”.

    1. The GPL is way too restrictive for some uses. The license is also incompatible with some other licenses, and can be cumbersome for making profit. Why should people be stopped from making profit??? Forcing people to share source code drives some away because you can’t work for free. Also GPL isn’t the only license out there. Personally I prefer the BSD license, I can release code without worrying about the forced publishing of the GPL. People need to stop crying over which license is used, it’s up to the project not the fanboys.

  1. The GPL does NOT force people to publish the source of whatever modifications they make. It stipulates that if you publicly distribute any binaries derived from the GPL’ed project or modifications thereof, you must also provide the source (or an offer to provide it) to anyone who receives the binaries from you. There is nothing hacker-unfriendly about this, and it only serves to prevent companies or other “malicious” entities from restricting the freedoms of the users when making products derived from a free software project.

    Sun made the CDDL to prevent Linux from using code from Solaris while still claiming to be Open Source. Please rethink this decision, and make sure that everyone involved understands what each license actually does.

      1. Any modifications that you make do have to be under the GPL, but you only have to distribute the source if you also distribute the binary. What is the situation that you’re concerned about re: the GPL? Are you trying to allow people to sell a proprietary version of the Mooltipass without providing the source to any modified firmware?

        1. That’s not our goal at all, and we hadn’t thought of Mooltipass copies to be honest (thanks for bringing that up).
          However, if I’m not mistaken with our current CDDL license people that’d like to copy our firmware would only be able to sell missing features of the current Mooltipass… which would indicate that we missed a crucial thing when developing it wouldn’t you agree? Moreover, that wouldn’t prevent us from implementing after.

          1. Beyond issues of corporate betrayal (think Makerbot), you should think about license compatibility. The CDDL is not a common license for projects that did not originate at Sun, largely thanks to GPL incompatibility. If someone wants to use the Mooltipass code with a GPL library (like you guys are), they will be unable to release their code or binaries because they cannot satisfy the CDDL and GPL simultaneously.

  2. So, maybe I missed something, but; how does changing the license help the Mooltipass project? So now, with the new license, someone could make modifications to the code, and sell them without releasing the source? How does that help anybody?

    1. Not only is the GPL itself an issue with some freedoms (my freedoms in particular :) and it’s a terribly long read too (and rarely do people agree what it means), and its advocates are horrible and drag their politics into every damn project…(see how it is causing waves in this one as we speak?)

      If you like GPL that is fine too, pick that for _your_ projects. But stfu with your whining when other people choose something else. Your political agenda is not most people’s reason to code. And GPL is far from the only choice – and imho it’s far from the best for (among other) the reasons above.

      1. Of course people should be able to choose any license they want for their own code. However in this case HAD has been pretty clear that the goal of the project is to give future hackers the freedom to use the software in the widest possible array of projects. Choosing the CDDL does the opposite: it PREVENTS future hackers from combining Mooltipass code with any GPL code.

        Is the GPL the best choice in this case? Perhaps not. That’s why it should be changed to a permissive license like the Modified BSD or X11 (MIT License).

          1. Thanks for the reply!

            You’re right, neither it nor the GPL, nor pretty much any other open source software license prevents people from doing anything with it at home. But consider this: [Hacker X] links mooltipass code to genericLinuxGPLAuthenticationSoftwareY for superAmazingProjectZ. This is fine. Now [Hacker X] wants to share the build log of that project on the web. Still fine. But now [Hacker X] wants to share the code for the project. What now? The code can’t be shared, because that is distributing a derivative work.

            So yes, it CAN be linked to incompatible code for personal projects; those projects just can’t be shared with anyone :(

        1. “HAD has been pretty clear that the goal of the project is to give future hackers the freedom to use the software in the widest possible array of projects.”

          If this was the case then the code will be released under the public domain license.

    1. Having just tried to start a commercial Ada project, it isn’t all FUD. There are versions of GNAT, the Ada runtime library, that are gpl. Not lgpl, but pure gpl. I didn’t dig deep enough to see if they were v2, v>=2, or v3; v3 would have scrubbed even making it a webservice. It took a bit of sorting to figure out which runtime my distro of choice had already set me up with, and if I had pushed a test page public I could have been caught between commercial interests on one side and copyrights on the other.

      Not to say the project won’t end up being open source; but I have this strange BSD-like thought that it should be my choice.

      disclaimer: i’m not working on the mooltipass, so i have no idea what the gpl issue is. CDDL wouldn’t be my first replacement choice.

      1. Yes, and that’s a real pity. Ada is a nice language that could use some positive press to stimulate adoption now that the DoD no longer mandates it. A proprietary runtime is not going to help…

  3. It’s a very simple question, that still seems to be unanswered: What possible reason could you have for NOT wanting the Mooltipass source to be covered by the GPL?

    Any HaD project should be furthering the goals of free and open source software, not hindering it. Why choose a license that is specifically incompatible with the much more popular GPL?

    If the goal is to remove obstacles between the public and the source, you should be going with a MORE permissive license than the GPL, like BSD or MIT.

    1. Simple. GPL isn’t a totally free license. If you want to make your stuff totally free, use MIT, BSD, or one of the creative commons licences.

      Using GPL is like a virus, forcing itself on projects that might otherwise be offered under more permissive licences.

      Making the choice, as here, between GPL and a more permissive licence based on what’s best for the people who want to take and use the project in new ways can only be a good thing for all concerned.

      1. It’s a genuine question, I mean, if they can’t find a license that suits is there a reason that they couldn’t produce their own license, that’s suited to the project?

  4. It’s in the summary.
    “…allowing interested parties to use our code in their own project without forcing them to publish all the remaining code they created. The GPL license enforces the opposite…”

    Factually accurate != FUD. The GPL specifically limits the freedoms of people who wish to use code derived from it.

    As stated above by a GPL proponent:
    “If someone wants to use the Mooltipass code with a GPL library (like you guys are), they will be unable to release their code or binaries because they cannot satisfy the CDDL and GPL simultaneously.”

    That’s not the fault of Mooltipass – that’s the fault of the GPL’s virality.

    Tilt at a different windmill, GPL advocates – not all software is GPL, and not all software is GPL-compatible. If you want hackability, you pick a license which doesn’t exclude other licenses.

    1. Bullshit. GPL keeps things open, and enforces that. And in true hacker mentality, allows anyone to tinker with it. For a site that’s called hackaday, the GPL is a perfect fit.

      1. Depends on the hacker. I’d like to make decisions about my own code, and linking to a gpl library can (can, not does) remove that choice. GPL 3 says that I don’t even have to give out the binary, just access to it via the web.

        Personally, I favor a bsd-like, use this as you wish but tell me what you use it for; dual licensed with gpl for the fanatics who find my bsd-like “not open enough” (meaning more open but not gpl compatible because, oh gods, they’d have to write me an email).

        1. > GPL 3 says that I don’t even have to give out the binary, just access to it via the web.

          AFAIK that is what AGPL 3 is for, the normal GPL 3 doesn’t mandate that

    2. As far as I can tell, the specific situation that the team is concerned about is allowing individuals to create a project based on Mooltipass code without the annoyance of distributing source code changes. The GPL does not require these people to do anything unless they distribute the software, so stating or implying that the GPL forces one to release anything is incorrect and could rightly be called FUD.

      Stated simply, the GPL requires that you provide sources to anyone who you distribute the software to. It does not require that you distribute the software at all.

      1. That “annoyance” is a core part of what we believe in. You take what the world has to offer, enhance it as needed, and share so the world may benefit. Ensuring software stays free is not limiting freedom, it is securing it.

        1. It doesn’t ensure that, though. Let’s pretend Mooltipass goes GPL, and I make a Super-Mooltipass and enhance the hell out of it. But I only sell/give it to friends and family who I know don’t code. No one asks me for the code, the “super” part stays hidden from the world. As long as I don’t provide one to you, I owe you nothing, even if all of my “super” code is just your gpl library, because I haven’t distributed to you.

          Few FOSS licenses deal with that issue; which makes its use as a rally-cry for “gpl freedom” a strange one.

      2. It’s utterly disingenuous to suggest that the license forces you to do nothing in one breath, then in the next piously inform someone that it requires you to distribute source along with binaries. It’s downright dishonest to claim that someone is spreading fear, uncertainty and doubt when they’re completely factually reporting that that same requirement can render someone incapable of mixing other licenses with GPL.

  5. Clearly this is a very polarizing issue. I think anybody that has developed software for a living may in some cases have some misgivings about using the GPL. There are some very limiting clauses in the GPL as it relates to rights of individuals to use the code they create in something that maybe should not be open source for whatever reason. I am by no means opposed to open source at all, and I think it has done some wonderful things for software in general, but in reality, if you don’t like the license terms, use another implementation in YOUR project that is GPL compatible. Let’s be open minded here: Not everybody agrees with the virality of the GPL. They are entitled to that opinion! For one reason or another there were misgivings about it, and they chose to use something else. Does this directly affect you in any way? Probably not. Is the mooltipass still a really cool, and useful gadget? You bet! It will still do its job, GPL or not, and if you want, well make some of your own original firmware for it that is completely GPL, and release it to the masses. Who is stopping you?

    1. The issue is this is a site called Hackaday, and the hacker mentality is all about being open and sharing, which is exactly what the GPL is all about, and keeping it that. Ensuring that things stay open, free, and so that anyone can tinker with it is not a limitation, it’s just making sure it stays open and free.

      It might be different if this site was called “Every man is an island and I gained all my knowledge and skills in a vacuum and fuck sharing”-aday.

      1. Far be it for me to feed a troll, but I think you’re forgetting accepting and tolerant there in your description of the hacker mentality. Opinions and feeling differ! Again, I ask, What is stopping YOU from creating your own original firmware for the mooltipass device, and making it completely GPL compatible? What’s stopping you from even creating your own similar device? You can tinker and play with the current device all you want! The schematics and existing code are available for you to review at your leisure… Even the mechanical design. If I were to split hairs, I think I could find some kind of hypocrisy in every situation I looked at, including those dealing with the open source, and hacker community itself… In any case, I say relax and go have a beer or whatever you do on your spare time. No need to burst a blood vessel over this one…

        1. You’re moving the goalposts again. Once again, for a site that purports to be about hacker culture, sharing, and openness, GPL is the correct license as it ensures those. Not to do so is corporate betrayal.

          1. It does not ensure anything except rendering your source code immiscible with many other licenses. As has been repeated ad nauseam above, the GPL does not require you to share your source code unless you intend to distribute binaries. However it does expressly forbid you from linking code with incompatible licenses to it. This is not a “feature” of several other licenses, of which the CDDL is one.

            “Adding freedom” by removing rights and privileges is something best left to world governments, not hacker culture.

          2. And I say 2 clause BSD is more open, allowing everyone to look, use, reuse, and sell the code with no restrictions. No goalpost movement, just a different view. (and a flame war!)

        2. More, using the GPL does not make one “forget accepting and tolerance”; far from it, it enforces those values you imply to be defending.

          And watch who you label a troll, as it seems that applies to you more than anything as you deflect and mislead.

          1. Using inflammatory language such as “FUD” and “deflect and mislead” is a clear indication that you have forgotten acceptance and tolerance. Particularly when you are doing so to support arguments that your intolerance of non-GPL licenses in some way makes you more free and better than the people you are attacking.

            Please consider the quality of the discourse and consider sharing actual reasons that the GPL would be more suitable for this project than more permissive licenses.

            I can think of one main reason, which is that a majority of the cryptographic libraries which underpin the internet are licensed compatibly with GPL, and thus may not be compatible with CDDL. Can you think of others? I’ve already stated above my objections to knee-jerk GPL boosterism, but it’s undeniable what the GPL and its advocates have done to support FOSS over the years.

      1. I think there are instances where it can. Let’s face it; pats on the back from the community won’t put food on my table and keep my lights on! Is it bad for somebody to want to benefit from their work in some way, even if perhaps that way happens to be financial? Not only that, if I wrote some piece of code as a developer, and released it under the GPL, then later down the road, wanted to reuse the code that I created in something I might distribute, I would then be burdened with the obligations implicated by using the GPL for the reused piece of code. I would have effectively given up my rights as a developer to use the code that I created however I want, whether that is to make money or not! In this manner the GPL is good, as it obligates the users of GPL code to share what they create, but it can also have negative side effects: in this respect the virality of the GPL could even cause development of something previously released under the GPL to stagnate, as developers might find themselves in a bind because of some obligation out of their control. They might re-create the functionality in that code in a different and original fashion, wholly different from the previous implementation, maybe improve it in some drastic or fundamental ways, and may decide that because of the burdens of the GPL, they don’t want to release it that way. The other side of this coin is that the community may contribute in some way to improve upon or enhance the GPL code. I think it could be a double edged sword in that respect. In reality, it is up to the developer how or under what license they want to use. We as consumers/users of the code can decide if we agree with their perspective or not, and choose not to use their code if we don’t agree with them.

        1. If you write something as gpl and don’t give exclusive license rights, and only reuse your own code (not contributed gpl code) then you still have copyright on that original bit and can relicense as you choose. You could not remove that code from the gpl landscape, but you can always reuse your own code in your own projects; as long as you have copyright (didn’t code for work) and it was not exclusive (again a contract to a project).

      2. I’ve got another argument which I’ve interlaced above – the GPL explicitly limits what licenses are compatible with a few of its stickier clauses. This means that the scope of the APIs and libraries you have at your disposal shrinks when you include even a single GPL library in your work, unless you do not intend to distribute or make available your binaries or (with GPLv3) a service based on those binaries. Even if you wanted to distribute your source code, you would still be in violation of the GPL agreement by linking with those incompatibly-licensed codebases.

        That, rather than “I want a pile of money and nobody should ever see my magical special code” is what I consider the only valid criticism of the GPL.

        1. Right, but by releasing software under CDDL, which is GPL incompatible, you’re shrinking the scope of available software anyway because future people can no longer use ANY GPL code (of which there is quite a bit, as you pointed out above). Avoid the problem entirely and use the Modified BSD. The code stays free, but can be combined with both open and closed source programs in the future.

          1. The reason others can’t use GPL is because GPL disallows it (they limit the freedom of the coder to give freedom to the code). How can you blame other licenses (some older than GPL) for not being compatible with including code from a purposely limiting license?

            What you consider limiting yourself, I consider freeing myself. It is all about point of view. just like someone mentioned earlier that what non-GPLers find annoying about GPL is a “core part”(from comment above)

            Pick what fits _you_ but do not go fanatic religious on everyone else, we want _our_ freedom too. Monocultures are freaking boring after all.

          2. I’m not blaming other licenses at all, AND I’m NOT advocating that GPL be used in this program. I’m advocating the most lax and permissible license of all, Modified BSD.

            Also, if you think that aspects of GPL are annoying and restrictive, then you should think the CDDL is even worse. It is just as strict as the GPL, BUT is incompatible with the GPL which means no one can link a CDDL with any GPL code in the future. The ONLY “benefit” is that it allows the program to be linked with closed source programs which doesn’t seem like much of a benefit when you lose the ability to link with the entire world of GPL programs (which is enormous). This isn’t being fanatical, this is recognizing the ramifications of choosing a bad license.

            If you want it to be truly unlimited then use one of the unlimited licenses—i.e. Modified BSD. Anything goes with it!

          3. Right, choosing a license which is specifically incompatible with GPL is a bad thing. Choosing GPL instead because it’s compatible with the GPL is a bad thing. Choosing some actually free-as-in-liberty license like MIT or BSD is a good thing.

  6. Please reconsider this decision. The problem with the CDDL is not just that it isn’t the GPL, it’s that it is legally incompatible with the GPL (http://www.gnu.org/licenses/license-list.html#GPLIncompatibleLicenses). Any code released under the CDDL can NEVER be combined and re-released with ANY GPL code in the future (http://www.gnu.org/licenses/gpl-faq.html#WhatIsCompatible) unless the author of the original code re-licenses it.

    Why is this a major problem? Because there is a crap-ton of code that already exists which is licensed under GPL. What if the features of this device expand and require new libraries? New firmware? What if someone wants to use this in a way we don’t see now? Future hackers would not be able to incorporate any of the wealth of available GPL code.

    Setting aside the debate about whether or not the GPL is “viral” or “damaging” (no, and no, although I recognize that not everyone agrees on this ;) ), why restrict the code in any way? If the goal is to allow future hackers the freedom to do anything with the code but NOT force them to distribute their source code then please use the Modified BSD license (http://www.gnu.org/licenses/license-list.html#ModifiedBSD) This is a lax, permissive license that will allow people to use the code in any way they see fit. Code released under the Modified BSD will remain compatible with both GPL software AND proprietary (a.k.a. secret source code) software.

  7. I think I remember there being an issue in comments that had multiple URLs linked which pushed them to “awaiting moderation”. Here’s the comment I left an hour ago with the URLs as follow ups:

    Please reconsider this decision. The problem with the CDDL is not just that it isn’t the GPL, it’s that it is legally incompatible with the GPL. Any code released under the CDDL can NEVER be combined and re-released with ANY GPL code in the future unless the author of the original code re-licenses it.

    Why is this a major problem? Because there is a crap-ton of code that already exists which is licensed under GPL. What if the features of this device expand and require new libraries? New firmware? What if someone wants to use this in a way we don’t see now? Future hackers would not be able to incorporate any of the wealth of available GPL code.

    Setting aside the debate about whether or not the GPL is “viral” or “damaging” (no, and no, although I recognize that not everyone agrees on this ;) ), why restrict the code in any way? If the goal is to allow future hackers the freedom to do anything with the code but NOT force them to distribute their source code then please use the Modified BSD license. This is a lax, permissive license that will allow people to use the code in any way they see fit. Code released under the Modified BSD will remain compatible with both GPL software AND proprietary (a.k.a. secret source code) software.

    1. Of all the gpl stuff, this is an argument I can agree with. CDDL is crap. If you want to force derivative code to be open, go gpl>=2 or 3 at your choice. If you want code to be reused, go bsd/mit/apache or something else; even the mozilla license (it can be redone, but can’t be called mooltipass°).

      °drastic over-simplification of the mozilla license and the branding stuff both they and arduino have done. But it may be on your minds.

    2. I wonder if some of the reasons they chose not to use the Modified BSD license include the fact that the code ‘could’ be used in a closed source application without any disclosure. It seems to me that the CDDL forces you to release the covered source, but allows linking with non-open source code, or other things which are licensed under different terms than the CDDL itself, and distributing it as a whole product.

      1. I can sort of see that, but CDDL is a bad choice. Preventing undisclosed closed-source usage at the expense of ever linking with any GPL code seems like a poor trade off.

      1. cRaSh Yourexpensivecar doesn’t seem commercial to me

        i’m not a good programmer (i can write basic and i’m learning c a bit, thx to the arduino), and i think i can’t help very much, i just wanted to learn.

        greetz cRaSh

    1. CDDL is a rather strange (and uncommon!) decision in my eyes. Why not go for simplified BSD or LGPLv2? It gives maximum compatibility with other open source projects while giving freedom to everyone.

  8. How to lose interest and support from the hacking crowd in one easy step:

    “”It’s also interesting to note that we recently decided to stop using the GPL-licensed avrcryptolib.
    Our current project is CDDL licensed, allowing interested parties to use our code in their own project without forcing them to publish all the remaining code they created.
    The GPL license enforces the opposite””
