Linux is not free software (and nobody cares)

Some days ago, I had the opportunity of attending a talk by Richard M. Stallman, about free software fundamentals (yes, the typical talk by Stallman). Among the many topics that he addressed, he talked about Linux not being free software. Stallman said that within the source code distributed by Linux you will find non-free software. At a first moment, I thought that Stallman was exaggerating, and I did not ask him about it.

But the affirmation got highlighted by a Spanish newspaper, and was commented in sites like Barrapunto.com. The conclusion of the debate was that, as usual, journalists do not have a clue aboue free software, open source and all that stuff.

I decided to investigate further to find out whether or not Stallman was right. I found that there is a Linux kernel source code package distributed by the Free Software Foundation, called LinuxLibre. Actually, there is a list of common distros that distribute the (so-called) non-free version of Linux. Surprisingly, you will find Debian GNU/Linux among them. I say surprisingly because Debian is known to be very strict in all that regards to free software. If a piece of software does not comply to the Debian Free Software Guidelines, it does not get included in the distribution.

How come they are distributing non-free software?

Coming back to LinuxLibre, they also distribute the scripts that are used to remove the non-free parts from the Linux kernel upstream source code. For the latest version that I looked at (2.6.28), the script removes or modifies 28 source code files. Here is complete list of suspicious files, with the link to the source code in the Git repository of Linux:

• drivers/char/ser_a2232fw.h
• drivers/char/ser_a2232fw.ax
• drivers/net/ixp2000/ixp2400_rx.ucode
• drivers/net/ixp2000/ixp2400_rx.uc
• drivers/net/ixp2000/ixp2400_tx.ucode
• drivers/net/wan/wanxlfw.inc_shipped
• drivers/net/wan/wanxlfw.S
• drivers/net/wireless/atmel.c
• drivers/scsi/53c700_d.h_shipped
• drivers/scsi/53c700.scr
• drivers/scsi/aic7xxx/aic79xx_seq.h_shipped
• drivers/scsi/aic7xxx/aic79xx.seq
• drivers/scsi/aic7xxx/aic7xxx_seq.h_shipped
• drivers/scsi/aic7xxx/aic7xxx.seq
• drivers/scsi/aic7xxx_old/aic7xxx_seq.c
• drivers/scsi/aic7xxx_old/aic7xxx.seq
• drivers/scsi/53c7xx_d.h_shipped
• drivers/scsi/53c7xx.scr
• drivers/scsi/sym53c8xx_2/sym_fw1.h
• drivers/scsi/sym53c8xx_2/sym_fw2.h
• firmware/dsp56k/bootstrap.bin.ihex
• firmware/dsp56k/bootstrap.asm
• firmware/keyspan_pda/keyspan_pda.HEX
• firmware/keyspan_pda/keyspan_pda.S
• firmware/keyspan_pda/xircom_pgs.HEX
• firmware/keyspan_pda/xircom_pgs.S
• sound/pci/cs46xx/imgs/cwcdma.h
• sound/pci/cs46xx/imgs/cwcdma.asp

Let's choose one randomly. For instance, the file drivers/net/ixp2000/ixp2400_rx.ucode. Here is an extract of that file:

     .insns           = (u8 []) {
                      0xf0, 0x00, 0x0c, 0xc0, 0x05,
                      0xf4, 0x44, 0x0c, 0x00, 0x05,
                      0xfc, 0x04, 0x4c, 0x00, 0x00,

(120 similar lines)

                      0xe0, 0x00, 0x02, 0x00, 0x00,
                      0xe0, 0x00, 0x02, 0x00, 0x00,
                      0xe0, 0x00, 0x02, 0x00, 0x00,
                   }

What is that? It is the firmware of a network processor, probably used in network cards, or maybe I am wrong, and it is any other kind of hardware. In any case, it is included in the upstream Linux kernel source code distribution.

That piece of software comes in binary form, although embedded in a source code file. It is called a blob. Therefore, it is impossible to modify it. In other words, it is not free software. More dangerously, it is impossible to know whether that piece of software does what is supposed to do, or something else. Being a network driver, it is clear that is a risky part of the kernel.

The rest of files contains similar stuff.

So did this non-free piece got included in Debian (and other distributions) unnoticed? No, it did not. Actually, it became a heavy discussion in the project, that was solved with a vote by the members of the project.

The winning option was Assume blobs comply with GPL unless proven otherwise.

Funny. It is very easy to prove otherwise. Just try to understand what the heck that piece does. Or even better, modify it, recompile, and test whether it still works.

After this vote, the scretary of Debian resigned because he was accused of manipulating the vote counts (that he did not).

If you read all the options, you will see that there were two main fronts: getting a new release so users could enjoy a newer Debian, or cleaning the distribution out of non-free parts. It is paradoxical that the Debian Manifesto says that "[Debian GNU/Linux] must be done by a organization to sucessfully advance and advocate free software without the pressure of profits or returns". Yet they are pushing Lenny to be released and the non-free parts to be hidden under the carpet.

Summarizing, Linux is distributing binary-only firmwares, hidden as source code files (or blobs), and Debian is aware of that, and still distributing them. They assume that those binary-only do not violate the Debian Free Software Guidelines.

Regarding all this story, Theodore Ts'o, a kernel developer, advocates for this option of accepting blob as GPL-compliant. He raises the old debate between pragmatism and idealism, defending that binary-only firmwares are necessary to cover users needs, and that defending free software because of itself is putting ideas over people.

It is easy to blame Stallman or Debian to be radicals of religious nature, that put ideas over people. It is not easy to blame others like OpenBSD to be so though. OpenBSD does exclusively include free software because of security reasons. If they can not read the code, they can not trust it. OpenBSD has rejected to include any kind of blob, because of the following reasons:

• Blobs can be 'de-supported' by vendors at any time.
• Blobs cannot be supported by developers.
• Blobs cannot be fixed by developers.
• Blobs cannot be improved.
• Blobs cannot be audited.
• Blobs are specific to an architecture, thus less portable.
• Blobs are quite often massively bloated.

If a blob were GPL, it would not have all those drawbacks. If all this blob debate were of a religious nature, OpenBSD would have not any concerns about getting them included in its system.

I wonder how long will it take for the first malicious blob to get included in Linux and massively distributed by third parties like Debian. Maybe everybody will realize all of the sudden that blobs are not free software, and about the dangers of non-free software (that are even worse when we close our eyes and keep thinking that is still free software).