on forks

One topic that has been the cause of confusion lately is my assertion that it’s wrong for Debian to do what they’re doing to XULRunner against the authors wishes. How can I both believe in the principles of free software, yet believe it’s wrong for Debian to change XULRunner in this way? Aren’t these beliefs contradictory?

No, in fact they’re not. Just because you can do something doesn’t mean you should. There are right ways to fork software like this, and there are wrong ways. Let’s quickly review the story, but changing some of the names around.

the wrong way

The Debian Project produces a series of ISO disk images that comprise the Debian Distribution. Because these ISOs are very large, mirrors are used to distribute them and spread the load out across many servers. Debian depends on this mirror network to distribute its software – not having any single predictable revenue stream means it depends entirely upon the generosity of others.

Let us imagine that Morris the mirror operator provides Debian with 30% of its bandwidth. A generous contribution indeed! One day he rsyncs his mirror and sees a new Debian release has been downloaded. Curious, he mounts the disk images and starts poking around. While he’s there he seems some obvious bugs and decides to make some simple improvements – after all, he’s allowed to by the terms of the GPL and he means well so why not? So he goes in and changes a bunch of packages, repacks the ISOs and goes on his way. Morris doesn’t bother telling the Debian project what he’s done, he’s a busy guy.

So people start downloading things that they believe to be Debian, which looks and feels and smells like Debian, but actually isn’t Debian and when they install it things crash and burn, and generally don’t work as they expect. So they log onto the net and start posting to web forums and mailing lists how crap the new Debian release is and how it didn’t work at all, and WTF are those Debian guys smoking to produce such a release? A few people will say they can’t reproduce those problems but we’re talking about computers here so nobody is surprised anyway.

So Dave the Debian developer gets a bug report he can’t reproduce, and starts investigating and eventually finds out what Morris has done. And Dave is pretty angry because he is seeing his work being trashed in public by all these angry users, through no fault of his own. So he goes to Morris and says, hey, Morris, I know you mean well but please don’t change Debian like this against our wishes. And Morris blows Dave off and points out that the GPL lets him do exactly this. So Dave posts an angry blog entry saying Morris sucks, and Morris mocks Dave saying he doesn’t understand free software, and meanwhile people are still downloading broken software and ending up thinking Debian is crap.

Now Dave does understand the GPL, but he also understands that this situation is why trademark law is invented. He wouldn’t mind if Morris had done things differently so there was no confusion over his work, and end users were able to make an informed decision about what version they wanted to use. But they can’t, the software has been silently modified during the act of distribution to the masses, and users don’t suspect anything is amiss.

the right way

Oh goodness me. What a mess. In reality, this situation couldn’t happen because we have trademark law to stop it and Debian(tm) is a trademark of Software in the Public Interest, Inc. And actually Mozilla Firefox(tm) is trademarked for exactly the same reason, and if MozCorp trademark the name XULRunner then Debian would be forced to rename the modified package to something else, DebianMozLauncher or something sufficiently different that it couldn’t cause confusion, and Debian packages that depend on XULRunner would have to depend on the actual XULRunner package and not DebianMozLauncher so no playing tricky games with dependencies thankyou very much.

Obviously though, most open source projects aren’t as large or high profile as Mozilla or Debian is and no trademarks are held on the name. In this case there’s no legal way to stop distributors modifying the software as they distribute it yet passing it off under the same name. Worse, twice now I’ve seen Debian developers use this fact as a threat, which is entirely unacceptable. But just because filing for a trademark is more effort than most open source devs are willing to go to doesn’t invalidate the underlying principle – people should know what they’re getting, and when upstream own the name they should own the software.

Don’t like it? Fork it … the right way. Create a new name, a new website, describe the differences so people know what they’re getting and have people review the products separately. Ubuntu forked Debian in the right way. Debian forked XULRunner in the wrong way.

another example

This post is a bit personal for me, because I’ve had to deal with exactly the sort of problem the XULRunner people are now experiencing, but with Wine. Debian has packaged Wine in a way different to upstream, and this can cause extremely subtle bugs. One incident that sticks in my mind is where I wasted an entire Sunday afternoon and evening working with a user to track down why a program was crashing when they selected a menu item. It turned out that when the program started it was querying a registry key that didn’t exist, and squirreling away a NULL pointer in some internal data structure. And when it tried to access that key it crashed. Why was the key missing? Because the installer invoked the regedit.exe program to merge a pre-written .reg file into the registry, which is more convenient than using the registry apis. No error checking of course because on Windows this cannot fail. And why was regedit.exe missing? Because Debian decided it looked like a “utility” and as such should be in an optional package, which the user didn’t know about and hadn’t installed.